v18.05.558 Installation and Deployment Guide Forcepoint One Endpoint


Post on 02-Feb-2020


©2018 Forcepoint
All rights reserved.
10900-A Stonelake Blvd, Quarry Oaks 1, Suite 350, Austin, TX 78759, USA
Published 2018

Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Forcepoint. Every effort has been made to ensure the accuracy of this manual. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.


Copyrights

Forcepoint™ One Endpoint

© 2018, Forcepoint LLC
All rights reserved.
10900-A Stonelake Blvd, Quarry Oaks 1, Suite 350, Austin TX 78759

Published 2018
Printed in the United States of America

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Forcepoint LLC.

Every effort has been made to ensure the accuracy of this manual. However, Forcepoint LLC makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint LLC shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

For other copyright information, refer to:

Trademarks

Forcepoint is a trademark of Forcepoint LLC. SureView, TRITON, ThreatSeeker, Sidewinder and Stonesoft are registered trademarks of Forcepoint LLC. Raytheon is a registered trademark of Raytheon Company. All other trademarks are the property of their respective owners.

Microsoft, Windows Server 2008, Windows Server 2012, Windows XP, Internet Explorer, and Active Directory are trademarks or registered trademarks of Microsoft Corporation.

The following is a registered trademark of Novell, Inc., in the United States and other countries: Novell Directory Services.

Oracle and Java are registered trademarks of Oracle Corporation and/or its affiliates.

Firefox is a registered trademark of the Mozilla Foundation.

Adobe, Acrobat, and Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

This product includes software distributed by the Apache Software Foundation (http://www.apache.org). Copyright (c) 2000. The Apache Software Foundation. All rights reserved.

Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.


Trademarks

Topic 1 Introducing Forcepoint One Endpoint
    System requirements
    Browser support
    DLP channel support
    Printer drivers
    Application controls
    Supported removable media
    LAN control

Topic 2 Obtaining or Creating the Installation Package
    Creating installation packages from a package builder

Topic 3 Deploying endpoint software in your enterprise
    Before you begin
    Deploying Windows endpoints
    Manual deployment
    Configuring Forcepoint One Endpoint to work with Firefox 53 and higher
    Testing deployment
    Configuring and managing endpoints
    Configuring the DLP Confirmation Dialog expiration time
    Uninstalling endpoint client software


Introducing Forcepoint One Endpoint

Forcepoint One Endpoint will complement many Forcepoint products, the first of which is Forcepoint DLP versions 8.5.2 and later.

Forcepoint™ One Endpoint complements Forcepoint DLP to provide complete real-time protection against advanced threats and data theft for both network and roaming users. Forcepoint advanced technologies help you discover and protect sensitive data stored on endpoint machines and provide actionable forensic insight into potential attacks.

Forcepoint DLP protects organizations from data loss and data theft. It also identifies and remediates sensitive data stored on corporate endpoint machines, including laptops (requires Forcepoint DLP Network or Forcepoint Data Discovery).

For Forcepoint One Endpoint, you can use a Package Builder utility to generate Forcepoint One Endpoint software that runs on the endpoint machines to block, monitor, and log transactions (like Internet requests or proprietary data sharing) according to the organization’s security and acceptable use policies. Administrators can create policies that provide full visibility into inbound and outbound traffic, but that do not restrict use of the endpoint machine.

Forcepoint solutions include endpoint server components as well. These are part of your Forcepoint DLP deployments.

See System requirements, page 3 for information about the hardware requirements for endpoint client components.

Applies to:

● Forcepoint DLP v8.5.x

● Forcepoint DLP Endpoint v8.5.x

In this topic:

● Forcepoint One Endpoint for DLP

● Hardware requirements

● Operating system requirements

● Browser support

● DLP channel support


About this guide

This guide describes how to deploy Forcepoint One Endpoint software on endpoint machines across your enterprise:

● System requirements, browser and operating system support, benefits, and other information.

● How to obtain or create installation packages.

● How to globally deploy Forcepoint One Endpoint software and install it on endpoint machines.

Related materials

● Server installation - Forcepoint Endpoint solutions rely on other Forcepoint products for server-side functions. If you have not already done so, you must install these products before beginning an on-premises Forcepoint server for Forcepoint One Endpoint installation.

■ Installing Forcepoint DLP (for Forcepoint DLP Endpoint)

● Endpoint configuration - Once the Forcepoint One Endpoint software is deployed to your client machines, you configure it in the Forcepoint Security Manager.

■ Forcepoint DLP Manager Help (for Forcepoint DLP Endpoint)

● Client software usage - If the software is not installed in stealth mode, users can interact with the user interface.

■ End User Guide for Forcepoint Endpoint Solutions

Forcepoint One Endpoint for DLP

Forcepoint One Endpoint for DLP is designed for organizations concerned about data loss originating at the endpoint machine, whether malicious or inadvertent. For example, if you want to prevent employees from taking sensitive data home on their laptops and printing it, posting it to the web, or copying and pasting it, you would benefit from this endpoint solution.

Forcepoint One Endpoint for DLP is a comprehensive, secure, and easy-to-use endpoint data loss prevention (DLP) solution. It monitors real-time traffic and applies customized DLP policies over application and storage interfaces. You can also apply discovery policies to endpoint machines to determine what sensitive data they hold.

You can monitor user activity inside endpoint applications, such as the cut, copy, paste, print, and screen capture operations. You can also monitor endpoint web activities and know when users are copying data to external drives.


System requirements

Hardware requirements

Windows

Windows clients must meet the following minimal hardware requirements.

● Pentium 4 (1.8 GHz or above)

● At least 850 MB free hard disk space (250 MB for installation, 600 MB for operation)

● At least 1 GB RAM on Windows 7 or Windows 10.

Operating system requirements

Endpoint machines must be running one of the operating systems listed in the Forcepoint Certified Product Matrix.

Browser support

Forcepoint One Endpoint for DLP

When Forcepoint One Endpoint for DLP analyzes data via the web > Endpoint HTTP/HTTPS destination, it intercepts HTTP(S) posts as they are being uploaded within the browser. It does not monitor download requests.

The system analyzes posts from the browsers listed on the Forcepoint Certified Product Matrix.

DLP channel support

Forcepoint One Endpoint requires DLP version 8.5.2 or higher.

Email clients

Forcepoint One Endpoint for DLP analyzes all email messages sent from Forcepoint DLP Endpoint users, even if they send them to external web mail services like Yahoo.

For Windows, Forcepoint One Endpoint for DLP can analyze endpoint email generated by Microsoft Outlook and IBM Notes. (Note that rules are not enforced on Notes messages if Notes is configured to send mail directly to the Internet, rather than through the Domino server.)


The system supports the desktop version of Outlook 2010, 2013, and 2016, but not the Windows 8 touch version. Forcepoint One Endpoint for DLP supports IBM Notes versions 8.5.1, 8.5.2 FP4, 8.5.3, and 9.

Forcepoint One Endpoint for DLP can detect incidents in S/MIME encrypted messages sent from Outlook 2013 (Windows) and Outlook 2016 (Windows).

Printer drivers

You can monitor data being sent from an endpoint machine to a local or network printer. Forcepoint One Endpoint for DLP supports drivers that print to a physical device, but not those that print to file or PDF.

Application controls

You can monitor or prevent sensitive data from being copied and pasted from an application like Microsoft Word or a web browser. This is desirable, because endpoint machines are often disconnected from the corporate network and can pose a security risk.

Forcepoint One Endpoint for DLP can monitor copy and paste operations on most browsers, such as Edge, Chrome, and Firefox.

It can also control access to files. For example, you can monitor uploads to cloud storage clients like DropBox and also IM/VOIP clients like GoToMeeting or Skype for Business.

Examples of the type of applications that Forcepoint One Endpoint for DLP can monitor out of the box are found in the Technical Library article, Applications Monitored in the Endpoint Application channel for Forcepoint DLP Endpoint. You can also add custom applications.

Supported removable media

● Removable media - You can monitor or prevent sensitive data from being transferred to removable media like thumb drives and external hard drives. If desired, you can configure Windows endpoint policies to encrypt files being transferred to removable media.

Forcepoint One Endpoint for DLP provides two methods to encrypt sensitive data that is being copied to removable media devices. You can:

■ Encrypt with profile key: Encrypt with a password deployed in the endpoint profile. This is for users who will be on an authorized machine—one with Forcepoint One Endpoint installed—when they try to decrypt files. Select Encrypt with profile key when configuring your action plans for endpoint removable media. The action defaults to permitted on Mac endpoint machines regardless of your action plan setting.


■ Encrypt with user password: Windows only. Encrypt with a password supplied by the Forcepoint One Endpoint user. This is for users who will be decrypting files from other machines—those without Forcepoint DLP Endpoint installed. Select Encrypt with user password when configuring your action plans for endpoint removable media.

See Configuring encryption for removable media in the Forcepoint DLP Administrator Help for more information.

● CD/DVD writers - Forcepoint One Endpoint for DLP monitors unencrypted data being copied to native Windows CD/DVD burner applications. It monitors non-native Windows CD/DVD burner applications as well, but only blocks or permits operations without performing content classification.

Non-native CD/DVD blocking applies to CD, DVD, and Blu-ray read-write devices on Windows 7, Windows 8, Windows 10, Windows Server 2012, and Windows Server 2016 endpoint machines.

● Mobile devices - On Windows 7 and Windows 10 (Creators Update, version 1703 and higher), Forcepoint One Endpoint can monitor unencrypted data being copied to mobile devices through the Windows Portable Devices (WPD) protocol. This allows you to use application file access monitoring on software clients like Apple iTunes and Samsung Kies when needed.

LAN control

Users commonly take their laptops home and then copy data through a LAN connection to a network drive or share on another endpoint machine. They also commonly take data from a shared folder (at work) to copy onto their laptop. With Forcepoint DLP you can control LAN operations to protect your data.

Endpoint LAN control is applicable to Microsoft sharing only.


Obtaining or Creating the Installation Package

To obtain Forcepoint One Endpoint installation packages, you must:

● Create them using the Forcepoint One Endpoint Package Builder (for remote filter, DLP, hybrid, and mixed deployments)

Before beginning this process, you must install the Forcepoint DLP (DLP module). Refer to the Technical Library for instructions.

If Forcepoint DLP Endpoint is already installed, it must be uninstalled before installing Forcepoint One Endpoint with DLP.

Creating installation packages from a package builder

If you are using Forcepoint DLP Endpoint with DDP Extension, you must use the Forcepoint One Endpoint Package Builder to create a custom installation package.

The installation package (a single executable file) is used to prepare to deploy the Forcepoint One Endpoint software to user endpoint machines.

The Forcepoint One Endpoint Package Builder is a Windows utility that can be used to create 32- and 64-bit Windows packages.

The utility can be found on any Windows server that includes Forcepoint DLP with DDP as well as on the Forcepoint downloads site.

1. Launch the Forcepoint One Endpoint Package Builder.

For on-premises deployments, do one of the following on the management server:

■ Forcepoint One Endpoint - Navigate to C:\Program Files (x86)\Websense\Web Security\DTFAgent\RemoteFilteringAgentPack\

Applies to:

● Forcepoint DLP v8.5.x

● Forcepoint DLP Endpoint v8.5.x

In this topic:

● Creating installation packages from a package builder

■ Forcepoint DLP - Select Start > All Programs > Forcepoint

■ On Windows Server 2012, browse to the Start page and select the Endpoint Package Builder.

For DLP deployments, you can download the latest Forcepoint One Endpoint Package Builder from the Forcepoint website:

■ Log on to My Account.

■ Navigate to ENDPOINT SECURITY, select a Forcepoint One Endpoint version, and then download the Package Builder.

The Forcepoint One Endpoint Package Builder utility extracts required files and launches.

2. On the Select Endpoint Components screen, select Forcepoint One Endpoint (DLP Endpoint).

3. Also select a language for the client components.

In the Forcepoint Security Manager, you can change the language used for displaying messages to Forcepoint DLP Endpoint users, but the language displayed in the user interface (buttons, captions, fields, etc.) can only be set during packaging.

Click Next when you are done.


4. On the Installation Platform and Security screen, select the operating system or systems for which you want to create an installation package, create the administrator password that will be used to uninstall or modify Forcepoint One Endpoint software, and enable anti-tampering. When you are finished, click Next.

■ For security purposes, anyone who tries to modify or uninstall Forcepoint One Endpoint software is prompted for a password.

Once the Forcepoint One Endpoint software contacts the server, this password is overwritten with the password specified by an administrator. Set this password in one of the following places (it is not necessary to do it in both):

○ Forcepoint One Endpoint for DLP: In the Data Security module of Forcepoint Security Manager, go to Settings > General > System > Endpoint, then on the General tab, select Enable endpoint administrator password, and enter and confirm a password.

Note that password hashes are stored in an encrypted file. The system does not store plain text passwords.

If no password is specified, every user with admin privileges is able to uninstall the Forcepoint One Endpoint software from their endpoint machine.

Click Show characters to display the password characters while you type.

■ Sometimes when users cannot modify or uninstall the Forcepoint One Endpoint software, they try to delete the directory where the software is installed.

Click Protect installation directory from modification or deletion if you do not want users to be able to perform these functions.


5. On the Installation Path screen, specify the directory to use for installing Forcepoint One Endpoint software on each endpoint device. The directory path must contain only English characters.

■ Use default location: The Forcepoint One Endpoint software is installed in a default directory: \Program Files\Websense\Websense Endpoint.

■ Use this location: Manually specify the installation path for the Forcepoint One Endpoint software. Environment variables are supported.

6. Click Next.

At this point in the installation, the next screen displayed depends on the options selected on the Select Endpoint Components screen. For example, if you selected Forcepoint DLP Endpoint, the next screen will be the Server Connection screen.

Follow the instructions for the individual endpoint components below.


Forcepoint DLP Endpoint

1. If you selected Forcepoint One Endpoint (DLP Endpoint) from the Select Endpoint Components screen, the Server Connection screen displays next:

IP address or hostname: Provide the IP address or hostname of the Forcepoint DLP server that endpoint machines should use to retrieve initial profile and policy information. Once configured, endpoint machines retrieve policy and profile updates from the endpoint server defined in their profiles.

Available in subsequent Forcepoint One Endpoint releases

Receive automatic software updates (Windows endpoint machines only): When new versions of Forcepoint One Endpoint are released, you may upgrade the software on each endpoint machine (this can be done via GPO or SMS), or you can configure automatic updates on this screen.

To automate software updates for Forcepoint DLP Endpoint or combined Forcepoint DLP Endpoint/Forcepoint Web Security Endpoint:

a. Prepare a server with the latest updates on it (see “Configuring the auto-update server” for details).

b. Select Receive automatic software updates.

c. Specify the URL of the server you created. (It cannot be secure http (https).)

d. Indicate how often you want endpoint machines to check for updates.

Note: When configuring the Endpoint Profile in the Forcepoint Security Manager (Data > Settings > Deployment > Endpoint Profiles), you may change the primary server and configure additional servers for load balancing and/or failover. See “Adding an endpoint profile, Servers tab” for details.


1. Click Next and the Client Settings screen displays:

Complete the fields as follows:

User interface mode: Select from the following 2 options:

● Interactive: A user interface is displayed on all endpoint machines. Users know when files have been contained and have the option to save them to an authorized location.

● Stealth: The Forcepoint One Endpoint for DLP user interface is not displayed to the user. In this mode, users will not know that Forcepoint DLP Endpoint is operating on their machine. The following features are affected in this mode:

■ The Forcepoint One Endpoint for DLP icon will not display in the task bar. Users will see the Forcepoint DLP Endpoint installation if they check the Windows Control Panel.

■ Users will not be able to view the client user interface. As a result, they will not have access to the connection status, the Contained Files viewer, the Log Viewer, or the bypass option. (Experienced users, however, will be able to see Contained folders and files in the installation path.)

■ Users will not receive pop-up messages.

■ Although administrators can choose Confirm and Encrypt with user password in the Data Security manager as part of an action plan for the endpoint machine, these are not possible enforcement actions. When these options are selected, operations that violate policy are blocked. The Encrypt with profile key action will still take place, however.

■ When a user attempts to access a blocked page, a 404 error message will display rather than a block page.

Because users will not see any notifications, stealth mode is best reserved for discovery tasks and audit-only policies.

Note that you must reinstall the endpoint machine and deploy a new profile to switch user interface modes.

Installation Mode: Applies to Windows only. Select from the following 2 options:

● Full: Installs Forcepoint One Endpoint for DLP with full policy monitoring and blocking capabilities upon a policy breach. All incidents are reported in the Forcepoint Security Manager. Full Mode installation requires a reboot of the endpoint machine.

● Discovery Only: Configures Forcepoint One Endpoint for DLP to run discovery analysis but not data loss prevention. Discovery Only installation does not require a reboot.

2. Click Next.

Global settings

1. When you are done configuring your Forcepoint One Endpoint software selections, use the Save Installation Package screen to enter a directory path to use for storing the installation package before it is deployed to endpoint machines.

Either manually enter a path or click Browse to find the location.

2. Click Finish.

You will see a system message if the package is created successfully. If the creation of the package fails, you will see an error message. If this happens, contact Forcepoint Technical Support for assistance.

3. Click OK.

Once the packaging tool has finished, the packages are created in the designated path. Refer to Deploying endpoint software in your enterprise for instructions on distributing the package to the endpoint machines.


Deploying endpoint software in your enterprise

This section describes how to deploy Forcepoint One Endpoint software on endpoint machines.

Before you begin

● For best practice, start by deploying and testing Forcepoint One Endpoint software to a few local network machines, then increase to a limited number of remote machines before deploying the software throughout your enterprise.

● Check that your endpoint machines meet the minimum system requirements. See System requirements, page 3 for details.

● Exclude the following directories and processes from any antivirus software that is deployed to endpoint machines:

■ The endpoint installation folder

■ Endpoint processes:

○ wepsvc.exe

○ dserui.exe

○ ProxyUI.exe

○ RFUI.exe

○ fppsvc.exe

■ EndpointClassifier.exe and kvoop.exe

Applies to:

● Forcepoint DLP v8.5.x

● Forcepoint DLP Endpoint v8.5.x

In this topic:

● Before you begin

● Deploying Windows endpoints

● Configuring and managing endpoints

● Uninstalling endpoint client software

● Ensure the Forcepoint One Endpoint installation path is not encrypted by file and folder encryption software. All folders and files within the installation path must be left unencrypted.

● Forcepoint One Endpoint can be installed on an endpoint machine encrypted using full disk encryption. Forcepoint One Endpoint must be installed after the disk has been encrypted.
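The antivirus exclusions listed under Before you begin, expressed for Microsoft Defender Antivirus as an added example (not part of the Forcepoint guide). Assumptions: Defender is the antivirus product in use, the function name is hypothetical, the default folder is the Package Builder default under %ProgramFiles%, and after installation the listed executables sit somewhere under that folder.

```powershell
#Requires -RunAsAdministrator
# Added example, not Forcepoint code. Add-MpPreference and Get-MpPreference are
# the Microsoft Defender cmdlets; everything else here is an assumption.
function Add-EndpointAvExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Package Builder default location; pass the custom path if one was chosen.
        [string]$InstallDir = (Join-Path $env:ProgramFiles 'Websense\Websense Endpoint')
    )

    # Process names exactly as listed in the guide.
    $names = @('wepsvc.exe', 'dserui.exe', 'ProxyUI.exe', 'RFUI.exe',
               'fppsvc.exe', 'EndpointClassifier.exe', 'kvoop.exe')

    # A bare image name in ExclusionProcess matches that name in any folder.
    # When the software is already installed, use the full path instead, which
    # is narrower. Before installation only the bare name is available.
    $installed = Test-Path -LiteralPath $InstallDir -PathType Container
    $entries = foreach ($name in $names) {
        $hits = @()
        if ($installed) {
            $hits = @(Get-ChildItem -LiteralPath $InstallDir -Filter $name -File -Recurse `
                          -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty FullName)
        }
        if ($hits.Count -gt 0) {
            $hits | ForEach-Object { [pscustomobject]@{ Value = $_; Scope = 'FullPath' } }
        } else {
            [pscustomobject]@{ Value = $name; Scope = 'NameOnly' }
        }
    }

    if ($PSCmdlet.ShouldProcess('Microsoft Defender Antivirus',
            "exclude '$InstallDir' and $(@($entries).Count) process entries")) {
        Add-MpPreference -ExclusionPath $InstallDir
        Add-MpPreference -ExclusionProcess @($entries | ForEach-Object { $_.Value })
    }

    # Read the configuration back so the result reflects what is actually set.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Kind     = 'Path'
        Value    = $InstallDir
        Scope    = 'FullPath'
        Excluded = @($pref.ExclusionPath) -contains $InstallDir
    }
    foreach ($entry in $entries) {
        [pscustomobject]@{
            Kind     = 'Process'
            Value    = $entry.Value
            Scope    = $entry.Scope
            Excluded = @($pref.ExclusionProcess) -contains $entry.Value
        }
    }
}

# Preview without changing anything:
#   Add-EndpointAvExclusion -WhatIf | Format-Table -AutoSize
```

Rows reported with Scope NameOnly were added before the executable existed on disk; rerunning the function after installation adds the full-path entries.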

Deploying Windows endpoints

There are a few ways to distribute the Forcepoint One Endpoint software on Windows endpoint machines, including virtual desktop clients running Windows:

● Manually on each endpoint machine

See Manual deployment, page 16.

● Using System Center Configuration Manager (SCCM) or Systems Management Server (SMS)

See Creating and distributing Forcepoint endpoints using SCCM or SMS for details.

● Using a Microsoft Group Policy Object (GPO) or other third-party deployment tool for Windows. See Distributing the endpoint via GPO for details. To distribute executables created with the Package Builder via GPO, contact Forcepoint Technical Support.

Manual deployment

Stand-alone Forcepoint One Endpoint packages

Windows packages created with the Package Builder contain a single executable file: FORCEPOINT-ONE-ENDPOINT-x32.exe or FORCEPOINT-ONE-ENDPOINT-x64.exe. If you are installing only Forcepoint DLP Endpoint software:

1. Copy one of these files to the client machine.

2. Double-click the executable file and step through the installation wizard.

Important: After deploying the installation package, you must restart the Forcepoint One Endpoint software to complete the installation process.


Configuring Forcepoint One Endpoint to work with Firefox 53 and higher

Forcepoint One Endpoints for DLP are unable to support the following in Firefox v53 and higher versions on Windows endpoint machines:

● Sensitive data protection in web-based mail services (e.g., Gmail and Yahoo Mail)

● Google Drive

When you deploy the Forcepoint One Endpoint software to Windows endpoint machines with Firefox v53 or higher installed, follow the deployment guidance below:

Forcepoint One Endpoint for DLP:

Edit the following configuration files to enable silent installation of the Firefox extension:

1. Open the Firefox installation folder. For example: C:\Program Files (x86)\Mozilla Firefox\defaults\pref.

2. Add the following text to the channel-prefs.js file:

pref("general.config.obscure_value", 0);

pref("general.config.filename", "firefox.cfg");

3. Create a new file named firefox.cfg and put it into the Firefox folder. For example, C:\Program Files (x86)\Mozilla Firefox.

4. Add the following text to firefox.cfg:

// empty comment up top - must be here

defaultPref("extensions.autoDisableScopes", 0);

defaultPref("extensions.enabledScopes", 15);

5. Restart Firefox.
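Steps 1 to 4 above as a repeatable script, for use from a deployment tool. This is an added PowerShell example, not part of the Forcepoint guide; the parameter and function names are hypothetical, and the default folder is the example path given in step 3.

```powershell
#Requires -RunAsAdministrator
# Added example, not Forcepoint's code: applies steps 1-4 above idempotently.
# Assumption: $FirefoxDir is the Firefox install folder (default = the guide's example path).
param([string]$FirefoxDir = 'C:\Program Files (x86)\Mozilla Firefox')
$ErrorActionPreference = 'Stop'

$prefsFile = Join-Path $FirefoxDir 'defaults\pref\channel-prefs.js'
$cfgFile   = Join-Path $FirefoxDir 'firefox.cfg'

$prefLines = @(
    'pref("general.config.obscure_value", 0);',
    'pref("general.config.filename", "firefox.cfg");'
)
# Scope bits: 1 = profile, 2 = user, 4 = application, 8 = system.
# enabledScopes 15 loads extensions from all four locations; autoDisableScopes 0
# means none of them is held disabled pending user approval.
$cfgLines = @(
    'defaultPref("extensions.autoDisableScopes", 0);',
    'defaultPref("extensions.enabledScopes", 15);'
)

function Add-MissingLine {
    param([string]$Path, [string[]]$Lines, [string]$Header)
    $existing = @()
    if (Test-Path -LiteralPath $Path) { $existing = @(Get-Content -LiteralPath $Path) }
    # Firefox skips the first line of the config file, so a new file starts with a comment.
    if ($existing.Count -eq 0 -and $Header) { $existing = @($Header) }
    $trimmed = @($existing | ForEach-Object { $_.Trim() })
    $missing = @($Lines | Where-Object { $trimmed -notcontains $_ })
    if ($missing.Count -gt 0) {
        # Rewrite the whole file so appended lines never join an unterminated last line.
        Set-Content -LiteralPath $Path -Value ($existing + $missing) -Encoding ASCII
    }
    return $missing.Count
}

if (-not (Test-Path -LiteralPath (Split-Path $prefsFile))) {
    throw "Not a Firefox install folder: $FirefoxDir"
}
$a = Add-MissingLine -Path $prefsFile -Lines $prefLines
$b = Add-MissingLine -Path $cfgFile -Lines $cfgLines -Header '// empty comment up top - must be here'
"channel-prefs.js: $a line(s) added; firefox.cfg: $b line(s) added. Restart Firefox."
```

Running it a second time reports 0 lines added for both files, which makes it usable as a compliance check as well as a deployment step.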

Testing deployment

To confirm that the Forcepoint One Endpoint software is installed and running on a machine:

● When Forcepoint DLP Endpoint is installed in interactive mode, an icon displays on the endpoint machine’s task bar. Click the icon for status information. (No icon shows in stealth mode.)

Most Forcepoint One Endpoint software installation failures are permission related. An endpoint installation requires local administrator rights.

Configuring and managing endpoints

Forcepoint DLP Endpoint requires configuration in the Forcepoint Security Manager. This entails:


1. Adding an endpoint profile to the Data Security module of the Forcepoint Security Manager or using the default. A default profile is automatically installed with the client package. (Settings > Deployment > Endpoint.)

2. Rearranging endpoint profiles. (Settings > Deployment > Endpoint.)

3. Configuring endpoint settings. (Settings > General > System > Endpoint.)

4. Creating endpoint resources. (Main > Policy Management > Resources > Endpoint Devices/Endpoint Applications/Application Groups.)

5. Creating or modifying a rule for endpoint channels. (Main > Policy Management > DLP / Discovery Policies, Destination tab.)

6. Defining the type of endpoint machines to analyze, as well as the network location. (Main > Policy Management > DLP / Discovery Policies, Custom Policy wizard, Source tab.) Use the Network Location field to define the behavior of the endpoint machine on and off the network.

See the Forcepoint DLP Manager Help for specific instructions.

Configuring the DLP Confirmation Dialog expiration time

The Confirmation Dialog window displays to end users when they perform an action that is against policy, but may still be performed if a business reason is given. The Confirmation Dialog timeout defaults to 30 seconds, but it is configurable to between 9 and 58 seconds in Forcepoint DLP.

To configure this expiration time, contact Forcepoint Support.


Uninstalling endpoint client software

Windows uninstallation

You can uninstall Forcepoint One Endpoint software in two ways:

● Locally on each endpoint machine

● Remotely through a deployment server or distribution system

Local uninstallation

1. Go to Start > Control Panel > Programs and Features.

2. Scroll down the list of installed programs, select Forcepoint One Endpoint, and click Uninstall.

3. Click Yes in the confirmation message asking if you are sure you want to delete the Forcepoint One Endpoint software.

4. You may be prompted to provide an administrative password, if you defined one. If so, enter the password in the field provided and click OK.

5. You will see a system message indicating you must restart your endpoint machine. Click Yes to restart or No to restart your endpoint machine later. Once the endpoint machine has been restarted, the configuration changes apply.

Note: If you configured an administrative password, you must supply it to uninstall the software.


Remote uninstallation with deployment server

If you use a deployment server to deploy Forcepoint One Endpoint software, you can perform a silent uninstall by running the following command (does not apply to stand-alone DLP).

msiexec /x {product_code} /qn XPSWD=password

where:

■ {product_code} is a unique identifier (GUID) that can be found in the setup.ini file of each installation package or the system registry. It is different for each version and bit type (32-bit versus 64-bit).

■ password is the administrator password that you entered when creating the installation package.

To find the setup.ini file, use a file compression tool like WinZip or 7-Zip to extract the contents of the installation package executable.

To perform a silent uninstall that does not require a reboot, add the /norestart parameter as follows:

msiexec /x {product_code} /qn XPSWD=password /norestart
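The registry lookup of the product code and the silent uninstall described above, as an added PowerShell example (not from the Forcepoint guide). It assumes the product is listed in the registry under the display name shown in Programs and Features and that its uninstall subkey name is the MSI product code; the parameter names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not Forcepoint's code. Looks up the MSI product code in the
# registry and runs the silent uninstall command from this guide.
# Assumptions: the display name matches Programs and Features, and the product
# was installed from an MSI, so its uninstall subkey name is the product GUID.
param(
    [string]$DisplayName = 'Forcepoint One Endpoint',
    [Parameter(Mandatory)][securestring]$AdminPassword,
    [switch]$NoRestart
)
$ErrorActionPreference = 'Stop'

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

$found = @(foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | Where-Object {
        $_.PSChildName -match $guidPattern -and
        $_.GetValue('DisplayName') -eq $DisplayName
    }
})
if ($found.Count -ne 1) {
    throw "Expected exactly one '$DisplayName' entry, found $($found.Count)."
}
$productCode = $found[0].PSChildName

# msiexec takes XPSWD as a plain property, so the password is visible in the
# process command line and in any command-line process auditing on the host.
$plain = [System.Net.NetworkCredential]::new('', $AdminPassword).Password
$msiArgs = @('/x', $productCode, '/qn', ('XPSWD="{0}"' -f $plain))
if ($NoRestart) { $msiArgs += '/norestart' }

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { 'Uninstalled.' }
    3010    { 'Uninstalled; restart required to complete.' }
    1641    { 'Uninstalled; restart initiated by the installer.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode)." }
}
```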

The command switches are summarized below.

Function                          Switch
Silent uninstall*                 msiexec /x {product_code} XPSWD=password /qn
Silent uninstall without reboot*  msiexec /x {product_code} XPSWD=password /qn /norestart

Remote uninstallation using distribution systems

You can uninstall Forcepoint One Endpoint software remotely by using distribution systems. If you used an SMS distribution system to create packages for installation, those packages can be reused, with a slight modification, for uninstalling the software. If a package was not created for deployment of the Forcepoint One Endpoint software, a new one needs to be created for uninstalling.

To uninstall with a package:

1. Follow the procedure for Creating and distributing Forcepoint endpoints using SCCM or SMS.

2. In step 1, select Per-system uninstall.

3. Complete the remaining procedures.

4. After deploying the package, Forcepoint One Endpoint software will be uninstalled from the defined list of endpoint machines.